DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Transcription

1 DARIAH Update 9th FIM4R Workshop Vienna, Novemer 30, 2015 Peter Gietz, DAASI International GmbH

2 What is DARIAH? DARIAH: Digital Research Infrastructure for the Arts and Humanities One of the few ESFRI research infrastructures for the humanities (ERIC is in working mode by now) DARIAH s mission is to develop, maintain and operate an infrastructure in support of ICT-based research practices Infrastructure is administration, software and storage services but also Curricula and Methodology Working with communities of practice: humanities scholars supporting their VREs

3 Humanities VRE

4 Forschung und Lehre Advocacy e-infrastruktur DARIAH VCC Virtual Competence Centers Forschungsdaten DARIAH AAI Promotion et diffusion e-infrastructure Liaison education et recherche Management des contenus DARIAH-EU DARIAH-FR VCC Advocacy VCC Research and Education Advocacy Advocacy e-infrastruktur Forschung und Lehre Forschungsdaten VCC e-infrastructure VCC Scholarly Content Management Research and Education e-infrastructure Scholarly Content Management DARIAH-IE DARIAH-AT Advocacy Research and Education Advocacy Research and Education e-infrastructure Scholarly Content Management e-infrastructure Scholarly Content Management

5 DARIAH AAI Practice Current AAI set-up: a first version of an AA infrastructure has been deployed, based on two standards: LDAP (Lightweight Directory Acess Protocol) for authentication and authorization attributes deploying Open Source Software OpenLDAP SAML (Security Assertions Markup Language) for AAI within a federation including Web Single Sign-On feature deploying Open Source Software Shibboleth

6 DARIAH AAI Setup

7 VO Management and FIM in DARIAH

8 VO Management and FIM in DARIAH SP Proxy will make it easier for DARIAH Services to join Proxy SP SP SP

9 Current Challenge - European-wide federation edugain has too little outreach - Not every institution signs federation contracts - Not every Identity Provider releases personal attributes - Technologies for non-web-based access only almost there (ECP, STS, Moonshot, oauth2) - Fine grained access control on file level, observed within a data replication federation (= non web SSO)

10 New Access Control Architecture IdP DARIAH IdP User Attrs 2 AuthZ Attrs Browser 1 SP DARIAH T REP T 6 Access DARIAH Storage API 8 OAuth2 Client Credentials Grant Self-contained Access+Refresh Tokens Server-hosted Application Access 0 Client Credentials 3 + UserID RBAC + OAuth2 AS 4 T ValidateToken 7 T CheckAccess DARIAH Storage API IRODs Replication

11 Current figures We currently have >3100 Users (700 new since February) Still most do not log in via their home IdP It's easier (and sort of familiar) to create a new DARIAH account We currently have >250 different user groups (40 new since February) Every project usually uses three or four priviledge groups (thus ca. 75 projects ca. 15 new since February): X-users, X-contributors, [X-developpers], X-admins

12 How to make this a European-wide Infrastructure The management of the delegation is based on organisational roles (not groups) that are structured in a 3 level hierarchy : DARIAH Coordination Office as Top of hierarchy Each Country has a National Representative who is allowed to: Create and manage organisations and the organisation admin role Each Organisation in a country has a organisation admin Organisation admin is allowed to: Create and manage groups (of projects the organisation is leading) Create 'homeless'-accounts if needed Production ready Administration interface is there

13 New Features of User Management The Web-based administration and self-service interfaces have been improved, e.g. Distributed user management Better password forgotten processes Completed role based administration Concept of initial group is implemented Since the administration interface is actually used, new requirements pop up quite often

14 Screenshots of Selfservice and Administrationinterface

15

16

17

18

19

20

21 Yes: Responsive design

22

23

24

25

26

27

28

29 Sustainability There is the strong will to make DARIAH a sustainable infrastructure One of the 6 Project Cluster of DARIAHDE is DARIAH ehumanities Infrastructure Service Unit (DeISU) We will be working on organizational model and business model That service unit could well also operate AAI services

30 S1 S2 S4 S3 SP1 SP1 1 S6 S7 SP2 SP2 Contract Contract SLA SLA SLA 2 User Contract 4 ToU Project S5 3 SLA SLA SP3 SP3 Contract SLA SLA SLA SLA DeISU DeISU S8 User Contract ToU SLA Services Service Providers (SPs) Service Providing Contracts for DARIAH SPs Including SLAs and ToU DeISU and its services Service Providing Contract for users Including SLAs and ToU User Institutions Users

31 Summary DARIAH has a productive solution based on homeless-idp and attribute authority Distributed user and priviledge administration Roadmap for a sustainable service unit Policies that allow for integration into DFN-AAI and thus into edugain DARIAH is actively co-operating with AARC

32 Thank you for listening! Questions? Comments?